Tag Info

I'll answer in order:
Output size = input size: That's correct, GCM uses CTR internally. It encrypts a counter value for each block, but it only uses as many bits as required from the last block. CTR turns the block cipher into a stream cipher.
IV of any size: For GCM a 12 byte IV is strongly suggested as other IV lengths will require additional ...

Yes, it appears that it can be solved in practical time in $GF(2^n)$, if the attacker gets $n+\epsilon$ random $a_i$ values, even if he gets a single bit of the $a_i \times k$ values.
The chief observation is that the mapping from $a_i$ to bit $j$ of $a_i \times k$ (which I'll refer to as $bit_j(a_i \times k)$) is bitwise linear (for constant $j$, $k$).
...

Thanks @poncho for providing a correct answer.
I investigated it deeply, viewing it as a linear algebra problem.
Here's what I obtained:
in $GF(2^n)$, the series of equations $r_i=a_i\times k$ can be written as $R = K \cdot A$ where:
$A$ is a known $n \times n$ matrix, where each column is a bit representation of $n$, linearly independent, $a_i$
$R$ is a ...

GCM is sometimes called a 1.5 pass AEAD cipher, where the CTR encryption counts for 1 and the GMAC counts for 0.5. So you would indeed expect it to be faster than encryption + CMAC and HMAC with regard to the number of CPU instructions.
That is: as long as the encryption is using AES for both solutions. GCM requires a 128 bit block cipher while CMAC and ...

Reusing an IV once opens you up to someone finding the XOR of those two plaintexts, seriously compromising their confidentiality. Moreover, with GCM, a single IV reuse leaks significant information about the key used for authentication; if there are even a few pairs of reused IVs (not even one IV used many times; a few IVs each of which is used twice is ...